On Tuesday 18 December 2007, Jim Fulton wrote:
> > If we register "absolute_url" in a layer which isn't
> > used in a skin, then this view is not available as
> > traversable view because of the missing layer/named skin
> > configuration.
> Which does nothing to "protect" you from components registered for the
> default layer or for IBrowserRequest.
Yes, because in our code we never ever expose the registrations in the default
layer. We consider that layer hostile. :-) (Eventually we hope to rid
ourselves of even importing any configuration that registers into the
browser layer, but the Zope packages need some refactoring to do this in a
IBrowserRequest is a big problem, since it is the base interface for all
layers. I used to scan the ZCML for components registered for
IBrowserRequest. I have not done this in a while, but should make it a habit
again. I hope that security analysis tools, such as z3c.securitytool will
eventually help us identify those problems.
CBU Physics & Chemistry (B.S.) / Tufts Physics (Ph.D. student)
Web2k - Web Software Design, Development and Training
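The ZCML scan the message mentions, written out as an added example (this is not the author's script and not z3c.securitytool): it walks a ZCML file and reports every browser directive that carries a `name` but either has no `layer` attribute or names a layer in a configurable "hostile" set. It assumes the directive attribute names used by `zope.app.publisher` (`name`, `for`, `layer`, `permission`); treating `IDefaultBrowserLayer` as hostile alongside `IBrowserRequest` is an assumption of this example, since skins normally extend the default layer. The sample ZCML is constructed for the example.

```python
"""Report browser view registrations that land in the base (default) layer.

Added example for scanning ZCML; not part of the original post or any Zope
package.  Assumes the attribute names used by the browser:* directives
(name, for, layer, permission).
"""
import sys
import xml.etree.ElementTree as ET

BROWSER_NS = "http://namespaces.zope.org/browser"

# Layers that make a view reachable from every skin.  Assumption: skins
# extend IDefaultBrowserLayer, so it is treated like IBrowserRequest here.
HOSTILE_LAYERS = frozenset({
    "zope.publisher.interfaces.browser.IBrowserRequest",
    "zope.publisher.interfaces.browser.IDefaultBrowserLayer",
})


def find_default_layer_views(zcml_text, hostile_layers=HOSTILE_LAYERS):
    """Return a list of dicts describing named browser directives that are
    registered without a layer or for one of ``hostile_layers``."""
    root = ET.fromstring(zcml_text)
    prefix = "{%s}" % BROWSER_NS
    findings = []
    for elem in root.iter():
        if not elem.tag.startswith(prefix):
            continue                      # not a browser:* directive
        name = elem.get("name")
        if name is None:
            continue                      # unnamed directives are not traversable by name
        layer = elem.get("layer")
        if layer is None:
            reason = "no layer attribute (falls back to the base browser layer)"
        elif layer in hostile_layers:
            reason = "registered for %s" % layer
        else:
            continue                      # scoped to an explicit, non-hostile layer
        findings.append({
            "directive": elem.tag[len(prefix):],
            "name": name,
            "for": elem.get("for"),
            "permission": elem.get("permission"),
            "reason": reason,
        })
    return findings


def scan_files(paths, hostile_layers=HOSTILE_LAYERS):
    """Map each path to its findings; unreadable or malformed files are skipped
    with a message on stderr rather than aborting the whole scan."""
    results = {}
    for path in paths:
        try:
            with open(path, "rb") as fh:
                results[path] = find_default_layer_views(fh.read(), hostile_layers)
        except (OSError, ET.ParseError) as exc:
            print("skipping %s: %s" % (path, exc), file=sys.stderr)
    return results


# Constructed sample: one unscoped view, one scoped to a skin layer, one
# explicitly registered for IBrowserRequest.
SAMPLE_ZCML = """\
<configure xmlns="http://namespaces.zope.org/zcml"
           xmlns:browser="http://namespaces.zope.org/browser">
  <browser:page name="absolute_url" for="*"
                class=".views.AbsoluteURL" permission="zope.Public" />
  <browser:page name="index.html" for=".interfaces.IDocument"
                layer=".interfaces.IMySkinLayer"
                class=".views.Index" permission="zope.View" />
  <browser:page name="debug.html" for="*"
                layer="zope.publisher.interfaces.browser.IBrowserRequest"
                class=".views.Debug" permission="zope.ManageContent" />
</configure>
"""

if __name__ == "__main__":
    targets = sys.argv[1:]
    report = scan_files(targets) if targets else {"<sample>": find_default_layer_views(SAMPLE_ZCML)}
    for path, findings in report.items():
        for f in findings:
            print("%s: browser:%s name=%r for=%r permission=%r: %s"
                  % (path, f["directive"], f["name"], f["for"], f["permission"], f["reason"]))
```

Run it with one or more ZCML paths to scan real configuration, or with no arguments to see the sample; anything it prints is a view that every skin will traverse to, so the `permission` column is what decides whether that is a problem.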
Zope-Dev maillist - Zope-Dev@zope.org